chore: add script to check git history if package-version has ever been used

use script to verify vulnerable npm packages are not part of any of our releases

Author: scott-williams-az

scripts/manual-vulnerability-check/check-git-history.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+# This script checks the git history for changes to yarn.lock that include
+# any of the packages listed in "effected-packages.txt"
+
+# example format "effected-packages.txt":
+# @scope/[email protected]
+# @scope/[email protected]
+# @scope/[email protected]
+# [email protected]
+# [email protected]
+# [email protected]
+
+# Usage from the root of your monorepo, run:
+# ./scripts/manual-vulnerability-check/check-git-history.sh
+packages=()
+while IFS= read -r line; do
+  packages+=("$line")
+done < ./scripts/manual-vulnerability-check/effected-packages.txt
+i=0
+for package in "${packages[@]}"; do
+  # modify package string from
+  # @scope/package@version to @scope/package@npm:version
+  # package@version to package@npm:version
+  package=$(echo "$package" | sed -E 's/@([0-9]+\.[0-9]+\.[0-9]+)/@npm:\1/')
+  # show progress
+  echo "Line $((i+1)): $package"
+  # search through git log for changes to yarn.lock
+  # that include "package@npm:version"
+  git log -p --all -- yarn.lock | grep -A 2 -B 2 -E "$package"
+  ((i++))
+done